54.1 Controlling User Access to the Internet

You can use the GroupWise GWIA’s Access Control feature to configure a user’s ability to send and receive SMTP/MIME messages to and from Internet recipients and to access his or her mailbox from POP3 or IMAP4 email clients. In addition to enabling or disabling a user’s access to features, you can configure specific settings for the features. For example, for outgoing SMTP/MIME messages, you can limit the size of the messages or the sites to which they can be sent. By default, there are no limitations.

Access Control can be implemented at a user, distribution list, post office, or domain level.

Choose from the following information to learn how to set up and use Access Control.

54.1.1 Classes of Service

A class of service is a specifically defined configuration of GWIA privileges. A class of service controls the following types of access activities:

  • Whether SMTP/MIME messages are allowed to transfer to and from the Internet

  • Whether SMTP/MIME messages are allowed to transfer to and from specific domains on the Internet

  • The maximum size of SMTP/MIME messages that can transfer to and from the Internet

  • Whether SMTP/MIME messages generated by GroupWise rules are allowed to transfer to the Internet

  • Whether IMAP4 clients are allowed to access the GroupWise system

  • Whether POP3 clients are allowed to access the GroupWise system, and if allowed, how messages to and from POP3 clients are managed by the GroupWise system

The default class of service, which all users belong to, allows incoming and outgoing SMTP/MIME messages, and allows POP3 and IMAP4 access. You can control user access, at an individual, distribution list, post office, or domain level, by creating different classes of service and adding the appropriate members to the classes. For example, you could create a class of service that limits the size of SMTP/MIME messages for a selected individual, distribution list, post office, or domain.

Because you can assign membership at the user, distribution list, post office, and domain level, it is possible that a single user can be a member of multiple classes of service. This conflict is resolved hierarchically, as shown in the following table:

Membership assigned to a user through a...

Overrides membership assigned to the user through the...

domain

  • default class of service

post office

  • default class of service

  • domain

distribution list

  • default class of service

  • domain

  • post office

user

  • default class of service

  • domain

  • post office

If a user’s membership in two classes of service is based upon the same level of membership (for example, both through individual user membership), the class that applies is the one that allows the most privileges.

IMPORTANT:The GWIA uses the message size limit set for the default class of service as the maximum incoming message size for your GroupWise system. Therefore, you should set the message size for the default class of service to accommodate the largest message that you want to allow into your GroupWise system. As needed, you can then create other classes of service with smaller message size limits to restrict the size of incoming messages for selected users, distribution lists, post offices, or domains. Methods for restricting message size within your GroupWise system are described in Section 12.3.5, Restricting the Size of Messages That Users Can Send.

Attachments to incoming SMTP messages are included in the mime.822 file, in addition to being attached to the message. Therefore, attachments contribute twice to the size of the overall message. Take this account when determining the maximum incoming message size for your GroupWise system.

54.1.2 Creating a Class of Service

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click Access Control > Settings to display the Access Control Settings page.

    Access Control Settings property page
  3. Click Create to display the Create New Class of Service dialog box.

    Create New Class of Service dialog box
  4. Type a name for the class, then click OK to display the Edit Class of Service dialog box.

    SMTP Incoming tab of the Edit Class of Service dialog box
  5. On the SMTP Incoming tab, choose from the following options:

    Inherit Access: Select this option if you want members of this class of service to inherit their SMTP Incoming access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.

    Allow Incoming Messages: Select this option to allow members of the class of service to receive email messages through the GWIA. You can use the Exceptions option to prevent messages from specific Internet sites.

    Prevent Incoming Messages: Select this option to prevent email messages coming from the Internet. You can use the Exceptions option to allow messages from specific Internet sites.

    NOTE:If a member of the class of service to allow or prevent has an alias, you must also add the member’s alias to the class of service. Ongoing use of aliases is not recommended. For more information, see Section 5.14, Gateway Alias Migration.

    Prevent Messages Larger Than: This option is available only if you chose Allow Incoming Messages or Prevent Incoming Messages. In the case of Prevent Incoming Messages, this option only applies to messages received from Internet sites listed in the Allow Messages From list.

    If you want to set a size limit on incoming messages, select the limit.

    Internet messages that exceed the limit are not delivered. The sender receives an email message indicating that the message is undeliverable and including the following explanation:

    Message exceeds maximum allowed size

    IMPORTANT:If you have also set a message size limit for your MTAs, as described in Section 42.2.1, Restricting Message Size between Domains, make sure that the MTA message size limit is equal to or greater than the GWIA message size limit.

    Exceptions: This option is available only if you chose Allow Incoming Messages or Prevent Incoming Messages.

    Prevent Messages From: If you chose to allow incoming messages but you want to prevent messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the Prevent Messages From list.

    Allow Messages From: Conversely, if you chose to prevent incoming messages but you want to allow messages from specific Internet sites (IP addresses or DNS hostnames), add the sites to the Allow Messages From list.

    If you want to allow messages where the user name is blank, add Blank-Sender-User-ID to the Allow Messages From list.

  6. Click SMTP Outgoing, then choose from the following options:

    SMTP Outgoing tab of the Edit Class of Service dialog box

    Inherit Access: Select this option if you want members of this class of service to inherit their SMTP Outgoing access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.

    Allow Outgoing Messages: Select this option to allow members of the class of service to send email messages over the Internet. You can use the Exceptions option to prevent messages from being sent to specific Internet sites.

    Prevent Outgoing Messages: Select this option to prevent members of the class of service from sending email messages over the Internet. You can use the Exceptions option to allow messages to be sent to specific Internet sites.

    Prevent Messages Larger Than: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.

    If you want to set a size limit on outgoing messages, specify the limit.

    Exceptions: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.

    If you chose to allow outgoing messages but you want to prevent messages from being sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the Prevent Messages To list.

    Conversely, if you chose to prevent outgoing messages but you want to allow messages to be sent to specific Internet sites (IP addresses or DNS hostnames), add the sites to the Allow Messages To list.

    Allow Replies: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.

    Turn on this option to allow the GWIA to send rule-generated replies to messages (such as vacation rule messages).

    In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.

    Exceptions: Click Exceptions to create a list of specific Internet addresses that are handled opposite to the Allow Replies setting.

    Allow Forwards: This option is available only if you chose Allow Outgoing Messages or Prevent Outgoing Messages.

    Turn on this option to allow the GWIA to forward rule-generated messages (which can be a security issue).

    In addition, you can use the /blockrulegenmsg startup switch to allow some types of rule-generated messages while blocking others.

    Exceptions: Click Exceptions to create a list of specific Internet addresses that are handled opposite to the Allow Forwards setting.

  7. Click IMAP4, then choose from the following options:

    Inherit Access: Select this option if you want members of this class of service to inherit their IMAP4 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.

    Allow Access: Select this option to allow members of the class to send and receive messages with an IMAP4 client.

    Prevent Access: Select this option to prevent members of the class from sending and receiving messages with an IMAP4 client.

  8. Click POP3, then choose from the following options:

    Inherit Access: Select this option if you want members of this class of service to inherit their POP3 access from a class of service assigned at a higher level. For example, a post office inherits the domain’s access. If the domain is not a member of a class of service, the post office inherits the default class of service.

    Allow Access: Select this option to allow members of the class to download their GroupWise messages to a POP3 client.

    Prevent Access: Select this option to prevent downloading GroupWise messages to a POP3 client.

    Delete Messages from GroupWise Mailbox after Download: This option applies only if you selected Allow Access.

    If you turn on this option, messages downloaded from a GroupWise Mailbox to a POP3 client are moved to the Trash folder in the GroupWise Mailbox.

    POP3 client users can enable this option by using the userID:d login option when initiating their POP session. For more information, see User ID Login Options.

    Purge Messages from GroupWise Mailbox after Download: This option applies only if you selected Allow Access.

    If you turn on this option, messages downloaded from a GroupWise Mailbox are moved to the Mailbox’s Trash folder and then emptied, completely removing the messages from the Mailbox.

    POP3 client users can enable this option by using the userID:p login option when initiating their POP session. For more information, see User ID Login Options.

    Convert Messages to MIME Format When Downloading: This option applies only if you selected Allow Access.

    If you turn on this option, messages downloaded to a POP3 client are converted to the MIME format.

    POP3 client users can enable this option by using the userID:m login option when initiating their POP session. They can disable it by using the userID:n login option; this converts messages to RFC-822 format. For more information, see User ID Login Options.

    High Performance on File Size Calculations: This option applies only if you selected Allow Access.

    POP3 clients calculate the size of each message file before downloading it. Turn on this option if you want to assign a size of 1 KB to each message file. This eliminates the time associated with calculating a file’s actual size.

    POP3 client users can enable this option by using the userID:s login option when initiating their POP session. For more information, see User ID Login Options.

    Number of Days Prior to Today to Get Messages From: This option applies only if you selected Allow Access.

    Select the number of days to go back to look for GroupWise Mailbox messages to download to the POP3 client. The default is 30 days.

    POP3 client users can override this option by using the userID:t=x login option when initiating their POP session. For more information, see User ID Login Options.

    Maximum Number of Messages to Download: This option applies only if you selected Allow Access.

    Select the maximum number of messages a user can download at one time from a GroupWise Mailbox to a POP3 client. The default is 100 messages.

    POP3 client users can override this option by using the userID:l=x login option when initiating their POP session. For more information, see User ID Login Options.

  9. Click OK to display the Select GroupWise Object dialog box.

    Select GroupWise Object dialog box
  10. Select Domains, Post Offices, Distribution Lists, or Users to display the list you want.

  11. In the list, select the domain, post office, distribution list, or user you want, then click Add to add the object as a member in the class. You can Control+click or Shift+click to select multiple users.

    Access Control Settings property page with the new class of service and its members displayed
  12. To add additional domains, post offices, distribution lists, or users as members of the class of service, select the class of server, then click Add to display the Select GroupWise Object dialog box.

  13. Click OK (on the Settings page) when you are finished adding members.

54.1.3 Testing Access Control Settings

If you created multiple classes of service, you might not know exactly which settings are being applied to a specific object (domain, post office, distribution list, or user) and which class of service the setting is coming from. To discover an object’s settings, you can test the object’s access.

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click Access Control > Settings to display the Access Control Settings page.

    Access Control Settings property page
  3. Click Test to display the Select GroupWise Object dialog box.

    Select GroupWise Object dialog box

    You use this dialog box to select the object (domain, post office, distribution list, or user) whose access you want to test.

  4. Select Domains, Post Offices, Distribution Lists, or Users to display the list you want. For example, if you want to see what access an individual user has, select Users.

  5. In the list, select the object you want to view, then click View Access.

    The tabbed pages show the access control settings for SMTP Incoming, SMTP Outgoing, IMAP4, and POP3 as they are applied to that user, distribution list, post office, or domain.

    View Access dialog box
  6. To view the source for a specific setting, select the setting in the Setting box

    The Setting Source fields display the class of service being applied to the object. It also displays the Member ID through which the class is being applied.

    View Access dialog box with the Setting tab open
  7. When you are finished, click OK.

54.1.4 Maintaining the Access Control Database

The Access Control database stores the information for the various classes of service you have created. If any problems occur with a class of service, you can validate the database to check for errors with the records and indexes contained in the database. If errors are found, you can recover the database.

The Access database, gwac.db, is located in the domain\wpgate\gwia directory.

Validating the Database

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click Access Control > Database Management to display the Database Management page.

    Database Management property page
  3. Click Validate Now.

  4. After the database has been validated, click OK.

  5. If errors were found, see Recovering the Database below.

Recovering the Database

If you encountered errors when validating the database, you must recover the database. During the recovery process a new database is created and all intact records are copied to the new database. Some records might not be intact, so you should check the classes of services to see if any information was lost.

  1. In ConsoleOne, right-click the GWIA object, then click Properties.

  2. Click Access Control > Database Management to display the Database Management page.

    Database Management property page
  3. Click Recover Now.

  4. Click OK.

  5. Check your class of service list to make sure that it is complete.